A senior technology auditor has raised concerns
about his profession's awareness of the risks posed by critical infrastructure operators' shift from proprietary systems to open standards-based structures for the management of important tasks.
Certified information systems auditor (CISA) Barry Munns told
ZDNet Australia the IT auditing profession had "largely
ignored" moves by energy, gas and water utilities to adopt open
standards for their telemetry and telecontrol infrastructure,
often known as supervisory control and data acquisition (SCADA)
systems and the dangers this created. These systems allow
remote control or monitoring of infrastructure, such as
substations or water pipes.
"There's a bit of a generational change that's happening,"
"Moving away from fairly closed system, proprietary type
structures -- software and operating systems, to more open
systems or public type systems. All the risks associated with
things like hacking and denial of service, those risks are now
very much coming to the fore in SCADA."
Munns has audited such systems for Energy Australia, and
recently joined the Australian Nuclear Science and Technology
"SCADA telemetry and telecontrol systems are moving towards
that open arrangement and that inter-connected kind of model," he
"As an IT auditor, it's an area that's largely ignored and
generally not known about.
"I think it's an area that doesn't have a great deal of
profile in my profession."
While attackers would previously have had to have a high degree of specialised knowledge and sometimes physical access to the critical infrastructure operators' facilities to wreak havoc, now there task was a lot more simple, according to Munns.
"Whereas before you might have had a very much closed system, a
proprietary SCADA system that you bought from a company and they
gave you all the hardware and software ... and it was very unique
to that arrangement.
"Nowadays, you might buy a SCADA system or develop a SCADA
system but you might be using Linux as your operating system, you
might be using TCP/IP as your communication protocol, you might
be using generally available firewall software. So all of a
sudden you're using stuff that is common. And because it's
common, it's more exposed.
"So whereas before there might've only been a very small number
of people who knew about this stuff ... we're actually moving to
an area where you don't have to be an insider anymore. That's
where the problem arises."
This greatly increased the number of potential attackers,
"Often you needed physical access to these things to be able
to get up to no good, well that level of security has been done
away with as we move towards open standards."
Munns said more organisations needed to adopt IT governance
frameworks in order to realise the risks.
"I'd strongly recommend the application of 7799 Information
Security standard, in any organisation," he said.
The federal government last year published advice for chief executive officers on SCADA systems, and runs security forums such as the Trusted Information Sharing Network (TISN) to deal with the risks.
Munns declined to comment on Energy Australia's SCADA